ICO issues record fine against British Airways

Published on 07 November 2019

What did it take for the ICO to issue its largest ever fine against British Airways?

The key takeaway

The ICO is embracing multi-million pound fining levels for GDPR breaches, in this case £183m vs British Airways and (in a separate investigation) £100m vs Marriott. The days of the £500k cap under the old Data Protection Act are well and truly over. It’s time to check and double-check your data security processes.

The background

The data breach occurred after users of the British Airway’s website were diverted to a fraudulent website, which collected details of roughly 500,000 customers in June 2018, merely weeks after the introduction of the GDPR. This occurrence is primarily attributed to weak security provisions, which allowed the attackers to access consumer details. The stolen data consisted of log-in details, card numbers (including expiry dates and security codes) and travel details, as well as basic consumer information such as names and addresses.

The ICO, acting on behalf of the other EU member state data protection authorities, was notified of the incident in September 2018. It appears that the details were extracted at the point of their entry into the British Airways website or app and then sent onto a third party. Websites that have embedded code from external suppliers are particularly at risk to this particular kind of incident, referred to as a “supply chain attack”. British Airways co-operated with the ICO’s investigation, no doubt hoping to avoid such a large fine – on the basis that the ICO had previously stated that “companies who are … cooperating with EU regulators can expect to engage the advisory and warning end of our toolkit”. 

The decision

Unfortunately for British Airways, cooperating was not enough to avoid a gargantuan fine of £183.39m, or around 366 times more than the ICO’s previous largest fine of £500k (the top cap under the old Data Protection Act). In the words of technology correspondent Rory Cellan-Jones, this will “send a shiver down the spine of anyone responsible for cybersecurity at a major corporation”.

The proposed fine amounts to 1.5% of British Airway’s worldwide annual turnover in 2017. Initially this seems substantial, however in the light of the maximum permissible penalty, which is limited to 4% of the annual turnover of the preceding financial year, the proposed fine is still far off from the worst case scenario for British Airways. The extent of the final penalty will only be known after British Airway’s effort to make an appeal has gone forward.

Why is this important?

This decision is a clear indication that we are now well and truly living in a post-GDPR world where multi-million pound fines are likely to become the norm. Marriott has also recently been fined a whopping £99.2m. But it could be that the ICO is only just starting to flex its muscles. As Mathematician Clive Humby said way back in 2006, “Data is the new oil”. It seems that legislation has now caught up, by sanctioning breaches with the value it holds. 

Any practical tips?

Maintaining effective cyber-security is no longer simply important, it’s absolutely critical. Ignore it by failing to keep up with the latest IT defences and you could be exposing your company to the biggest threat that it’s ever faced - namely an angry, GDPR-empowered ICO armed with multi-million pound fines.

Stay connected and subscribe to our latest insights and views 

Subscribe Here